HIPAA Breach Lessons Learned

While no records were broken when it comes to number of health records disclosed per data breach, the top HIPAA breaches of last year still come with some hard lessons learned about technical and physical security. Learn from their mistakes and protect your healthcare organization from suffering the same fate:

While no records were broken when it comes to number of health records disclosed per data breach, the top HIPAA breaches of last year still come with some hard lessons learned about technical and physical security. Learn from their mistakes and protect your healthcare organization from suffering the same fate:

Who: Crescent Healthcare, a Walgreens company that manages and delivers pharmacy and nursing solutions in alternate site settings.What: Last December, someone broke into Crescent’s billing center and stole a desktop computer, according to HealthCareITNews.com and the HHS reported breaches data. The desktop computer may have contained names, addresses, phone numbers, Social Security numbers, health insurance data, birthdates and clinical diagnoses. Over 100,000 individuals were affected.Remediation: The company is retaining employees and service providers on security, and enhancing security policies and procedures.Lessons Learned: Don’t store ePHI (electronic protected health information) locally on devices. Storing health data in a secure, offsite HIPAA compliant data center with limited, protected access could have prevented this data breach. Check that your HIPAA hosting provider can supply a HIPAA report on compliance to ensure data is safe.

Two-Factor Authentication

Who: Howard University HospitalWhat: In early 2012, a former contractor that downloaded patient data (in violation of hospital policy) onto their personal laptop reported the theft of the unencrypted device from their vehicle. Names, addresses, IDs, medical record numbers, birthdates, admission/discharge dates and diagnoses information for over 66,000 patients were all saved locally on the laptop.Remediation: The hospital extended its policy of encrypting all laptops to include contractor data/laptops.Lesson Learned: Employee data security policies should cover all employees that have access to ePHI, not just full-time staff. Encrypting data is key. And again, keeping sensitive data off of devices and using a security tool like two-factor authentication for VPN (Virtual Private Network) access cuts down on risk of unauthorized access.

Who: Apria Healthcare, Inc., provider of home medical equipment.What: Last June, an Apria employee had their laptop stolen from their locked car – billing information for 65,700 patients was stored on the laptop’s hard drive.Remediation: Apria is working on its internal patient privacy security program and encrypting company laptops.Lesson Learned: Why do people leave laptops in their cars? Even if locked you’re running a big risk. Aside from that, employee security training may have raised awareness about the dangers of leaving electronics vulnerable, and again, keeping data off of portable devices.

Who: University of Miami HospitalWhat: Two employees were accessing patient information from registration ‘face sheets’ and may have sold information to a third party. Face sheets contain name, address, birthdate, insurance policy numbers and the reason for the visit. According to HHS.gov, over 64,000 individuals were affected.Remediation: The employees were identified and fired.Lesson Learned: Background checks and employee HIPAA training may have prevented this incident, but often insider threats are the most difficult to detect. File integrity monitoring (FIM) is a service that can be configured and customized to monitor certain folders and files in order to protect ePHI from being altered or destroyed, and fulfills the HIPAA requirement to implement hardware or software to record and examine activity in systems that contain ePHI.

While using the technical services of a HIPAA hosting provider may have prevented or reduced the risk of a data breach in the above top HHS breach cases of 2012, as a covered entity, you need to ensure you can trust your business associates’ security practices. Read Five Questions to Ask Your HIPAA Hosting Provider for a checklist of questions and answers.